b'DOS Actions Regarding Internet Banking\n\n\n\n         Audit Report No. 99-043\n            October 27, 1999\n\n\n\n\n        OFFICE OF AUDITS\n\n OFFICE OF INSPECTOR GENERAL\n\x0cFederal Deposit Insurance Corporation                                                                   Office of Audits\nWashington, D.C. 20434                                                                      Office of Inspector General\n\n\n\n\n   DATE:            October 27, 1999\n\n   TO:              James L. Sexton, Director\n                    Division of Supervision\n\n\n\n   FROM:            David H. Loewenstein\n                    Assistant Inspector General\n\n   SUBJECT:         DOS Actions Regarding Internet Banking\n                    (Audit Report No. 99-043)\n\n   The Federal Deposit Insurance Corporation\xe2\x80\x99s (FDIC) Office of Inspector General (OIG) has\n   completed an audit survey of the FDIC\xe2\x80\x99s actions regarding Internet banking. The Division of\n   Supervision (DOS) established electronic banking examination (EBE) procedures to address\n   evolving areas of electronic banking, including Internet banking. DOS\xe2\x80\x99s procedures generally\n   provide a sound framework for evaluating Internet banking practices at FDIC-supervised\n   financial institutions. However, our survey identified several opportunities to improve the\n   procedures and their implementation that, if adopted, will enhance DOS\xe2\x80\x99 supervisory activities\n   related to Internet banking.\n\n\n   BACKGROUND\n\n   Internet banking is the most recent aspect of electronic banking being pursued by the banking\n   industry. According to recent statistics reported by Ernst & Young, some level of Internet\n   services will be offered by 65 percent of U.S. banks during 1999, up from 18 percent in 1998 and\n   5 percent in 1997. Ernst & Young also projects that 52 percent of U.S. 
banks will assist\n   corporations in initiating transactions over the Internet, up from 13 percent in 1998 and 3 percent\n   in 1997. Such growth is attributable to the low product or service distribution costs characteristic\n   of the Internet.1 These decreased costs offer participating banks the opportunity to offer improved\n   services at lower costs to the consumer.\n\n   Prudent business acumen normally associates higher returns with higher risk. The same concepts\n   apply to financial institutions that offer Internet banking services to their customers. The\n   principal benefits of Internet access, namely its global reach and open architecture, present\n   significant security risks. These risks, along with an increased dependency on computers in\n   general, pose significant challenges to the banking industry. For example, recent intermittent\n   Web outages at one of the largest electronic bill payment service providers adversely impacted\n\n\n   1\n    Internet\'s E-conomy Gets Real, Mark Leibovich, Tim Smart, Lanthe Jeanne Dugan, The Washington Post, Page A1,\n   June 20, 1999.\n\n\n                                                          2\n\x0cnearly half a million customers at about 20 large banks.2\n\nAware of these trends, the U.S. General Accounting Office (GAO) recently completed an audit\nand issued a report entitled Electronic Banking: Enhancing Federal Oversight of Internet\nBanking Activities (GAO/GGD-99-91, July 1999). The report commended the FDIC for its\nproactive approach to examining Internet banking but cited an area that could benefit from\nmanagement\xe2\x80\x99s attention. This area is the need for greater examination coverage of outside\nservicers conducting Internet banking.\n\nTo address the growth and risk of Internet banking, DOS established its EBE procedures in\nJanuary 1997 and refined these procedures in June 1998. 
FDIC examiners use the EBE\nprocedures to guide them in evaluating Internet banking at financial institutions. DOS has also\nplayed a leading role in the FDIC\'s New Banking Technologies Task Force and CyberBanking\nSpeaker Series, both of which have contributed to raising the FDIC\'s level of awareness\nconcerning Internet banking and its related risks. Additionally, DOS has established an easy-to-\nuse FDIC Intranet Web site containing examiner aides such as a current list of known banks with\nan Internet presence. Furthermore, DOS uses three management systems to track information\nrelated to bank examinations involving Internet banking. They include the Electronic Banking\nOn Line Data Entry System (EBOLDES), the Banking On Line Tracking System (BITS), and the\nScheduling Hours and Reporting Package (SHARP).\n\nThe EBE procedures use three risk levels to categorize a bank\xe2\x80\x99s Internet activity and the\nassociated level of examination. Level one pertains to information-only sites that allow access to\ngeneral-purpose marketing and other publicly available information or the transmission of non-\nsensitive electronic mail. Level two relates to electronic information transfer systems that are\ninteractive in that they provide the ability to transmit sensitive messages, documents, or files\nbetween financial institutions and users. A level three designation is used for institutions that\nprovide transactional banking services, such as transferring funds. The results of the FDIC\'s\nInternet banking examinations are incorporated into the management component of the uniform\nfinancial institution rating used to measure an examined financial institution\'s safety and\nsoundness.\n\nThe Federal Financial Institutions Examination Council (FFIEC) Information Systems (IS)\nExamination Handbook and a draft version of comprehensive information technology (IT)\ntechnical procedures supplements the safety and soundness EBE procedures. 
These technical\nprocedures are intended for use by electronic banking subject matter experts (ESME) or IS\nexamination specialists. To support the implementation of these procedures, DOS established an\nEBE procedures training program and an ESME program. DOS intends for the ESME program\nto supplement DOS\xe2\x80\x99s IS examiners by creating a group of safety and soundness examination\nstaff proficient in examining electronic banking technology. The FDIC employed 197 ESMEs at\nthe commencement of our survey, including IS examination specialists at the regional and field\noffice levels.\n\n\n\n2\n Computer Glitch At CheckFree Snags Online Banking, Rebecca Buckman, The Wall Street Journal, Page 10,\nApril 29, 1999.\n\n                                                       2\n\x0cDOS temporarily discontinued ESME training during 1999 to focus its resources on Year 2000\nissues. Additionally, ESMEs in DOS\xe2\x80\x99s Atlanta, Boston, and Dallas regional offices indicated\nthat they had devoted little time to Internet banking activity in light of the Corporation\xe2\x80\x99s focus on\nYear 2000 issues. DOS indicated that it plans to resume ESME training in 2000.\n\n\nOBJECTIVE, SCOPE, AND METHODOLOGY\n\nThe objective of our survey was to identify and evaluate DOS practices regarding Internet\nbanking to determine the nature, timing, and extent of audit procedures needed to further\nevaluate the effectiveness and efficiencies of these practices. To address this objective, we\nevaluated the (1) effectiveness of the DOS EBE procedures as applied to Internet banking and\n(2) degree to which DOS examiners were following EBE procedures during Internet banking\nexaminations.\n\nWe interviewed FDIC personnel from DOS\xe2\x80\x99s Planning and Program Development and Operations\nSections in Washington, D.C. We also interviewed DOS examination staff in Atlanta, Georgia;\nBoston, Massachusetts; and Dallas, Texas. 
We reviewed DOS\xe2\x80\x99s EBE procedures and safety and\nsoundness Internet banking examination results contained within EBOLDES, BITS, and SHARP.\nWe also reviewed three sets of working papers representing levels one, two, and three Internet\nbanking examinations. Furthermore, we interviewed GAO representatives who had previously\nconducted a review of electronic banking examinations so that we could avoid duplicating their\nwork.\n\nOur survey focused on safety and soundness examinations involving Internet banking conducted\nbetween January 1, 1999 and February 28, 1999 so that our work would supplement the work\nperformed by GAO and provide enhanced value to DOS. This focus also increased assurance\nthat our conclusions regarding institution Web sites would be based on conditions similar to\nthose encountered by DOS during examinations conducted in a comparable time frame to the\noriginal examination dates. We judgmentally sampled 3 of 54 safety and soundness\nexaminations involving Internet banking to verify whether the examinations conformed to EBE\nprocedures. We also determined for this same time frame whether Internet banking existed at\nexamined financial institutions previously reported as having none and whether examination\nlevels applied to Internet banking activity were consistent with DOS policy. During our survey,\nwe documented our understanding of DOS\xe2\x80\x99s Internet banking examination process using a\ncontrol flowchart. At DOS\xe2\x80\x99s request, we provided a copy of the flowchart for use in DOS\ntraining initiatives. We conducted our audit survey between January 1999 and May 1999 in\naccordance with generally accepted government auditing standards.\n\nBased on our survey, we determined that further audit work would provide increased value to DOS\nif we delayed it until DOS had the opportunity to address the issues described in this report. 
The\nextensive use of outside service providers by banks offering Internet banking, the limited number of\nservicer examinations, and needed improvements in the structure and content of examination\nworking papers reduced the value of conducting additional audit work at this time. After allowing\ntime for DOS\xe2\x80\x99s program to mature and incorporate what we view as needed enhancements, we will\nrevisit such an audit within the next 12 to 18 months to assess the effectiveness of the Internet\n\n\n                                                 3\n\x0cbanking examination process. This audit would more thoroughly evaluate examination working\npapers and other factors related to the implementation of the DOS examination program.\n\n\nRESULTS OF AUDIT SURVEY\n\nAlthough our survey was based on a limited sample of DOS Internet banking activities, our\nobservations indicate that DOS\xe2\x80\x99s Internet banking examination process provides a sound\nframework for examining Internet banking at financial institutions supervised by the FDIC. In\naddition, DOS\xe2\x80\x99s application process for deposit insurance addresses new banks that are totally\nInternet-based. Further, DOS has established EBE procedures that should contribute to effective\nexaminations, and most examiners have received training on these procedures. DOS also\nestablished a review process for examination reports disclosing Internet banking issues and a\ncentral repository to track the results of examinations involving Internet banking.\n\nWhile these actions are positive and reflect DOS\'s awareness of the increasing impact of Internet\nbanking on the safety and soundness of financial institutions, we identified opportunities to\nenhance the Internet banking examination process. 
DOS\xe2\x80\x99s implementation of planning\nprocedures can be refined to ensure that examiners use the Internet and the FDIC intranet during\nexamination planning to identify Internet banking activities of institutions scheduled for\nexamination. EBE procedures can also be expanded to instruct examiners how and when to\nmake key determinations and to improve EBOLDES data integrity. In addition, the EBE\nprocedures can be clarified to ensure documented examination determinations, the use of scoping\nor planning memorandums, and independent work paper reviews.\n\nWe also noted an issue similar to one reported by GAO regarding examination coverage of\nInternet banking service providers. Specifically, DOS had not performed examinations of most\nservice providers that supported institutions offering transactional Internet banking services.\nBecause GAO addressed this issue, we are not including any recommendations in this report.\nHowever, we encourage DOS, working in conjunction with the FFIEC, to continue its efforts to\nestablish an examination program for Internet banking service providers.\n\n\nIMPLEMENTATION OF PLANNING PROCEDURES COULD BE IMPROVED\n\nExaminers did not always take advantage of available Internet and FDIC Intranet resources\nduring examination planning to determine whether the bank to be examined had an Internet\npresence and the extent of services offered. For the three exams selected for review during our\nsurvey, we noted no evidence that examiners had used available Internet and FDIC Intranet\nresources during pre-examination planning. 
Subsequent discussions with the examination teams\nindicated that they had not checked for the existence or extent of the institution\xe2\x80\x99s Internet\npresence during exam planning.\n\nAlthough EBE procedures suggest that examiners use the Internet and FDIC Intranet during\nexamination planning to determine whether institutions to be examined have an Internet presence\nand the extent of services offered through such a presence, they do not require such use. In\n\n\n                                               4\n\x0caddition, EBE procedures did not require that Internet banking examination planning be\ndocumented through a scoping or planning memorandum. The limited amount of time expended\non examinations may have contributed to examiners not using the Internet and FDIC Intranet.\nDuring the first quarter of 1999, average time spent on Internet banking portions of examinations\nranged from 3.6 hours to 14.1 hours as reported in SHARP.\n\nIndependent verification of information provided by financial institutions can enhance DOS\xe2\x80\x99s\nknowledge and understanding of institution operations during the planning process and can assist\nmanagement in scheduling and assigning appropriate resources. DOS examiners did not identify\nInternet banking activity for 4 of 26 institution examinations sampled (see table 1). In addition,\nexaminers did not perform the level of examination procedures consistent with transactional\nInternet banking at 3 of 10 institutions sampled (see table 2).\n\nTable 1: Instances of Overlooked Internet Banking\n    Number              Comments\n                        Fully Transactional Site (level three) included on 1/29/99\n    Sample Bank 1       FDIC List of Internet Banks.\n                        Information Only Site (level one) in which both site\n                        content and bank personnel substantiate site\'s existence at\n                        time of exam. 
Omitted from 1/29/99 FDIC List of Internet\n    Sample Bank 2       Banks.\n                        Information Only Site (level one) in which bank personnel\n                        substantiate site\'s existence at time of exam. Omitted\n    Sample Bank 3       from 1/29/99 FDIC List of Internet Banks.\n                        Information Only Site (level one) included on 1/29/99\n    Sample Bank 4       FDIC List of Internet Banks.\n                        From a sample size of 26 examinations during the\n                        period of 1/1/99 to 2/28/99 (15% error rate) reporting\n    Total 4             no internet banking presence.\n   Source: EBOLDES and OIG analysis.\n\n\n\n\n                                                5\n\x0cTable 2: Instances of Internet Banking Exam Level Non-Performance\n    Number               Comments\n                         Examiner noted within EBOLDES that site was\n                         transactional but performed only level-two exam without\n    Sample Bank 1        explanation.\n                         Examiner noted within EBOLDES that funds transfer\n                         capability existed but performed only level-two exam\n    Sample Bank 2        without explanation.\n                         Examiner noted within EBOLDES that funds transfer\n                         capability existed but performed only level-two exam\n    Sample Bank 3        without explanation.\n                         From a sample size of 10 examinations during the\n                         period of 1/1/99 to 2/28/99 (30% error rate) reporting\n    Total 3              an Internet banking presence.\n   Source: EBOLDES and OIG analysis.\n\nIn addition to not addressing prevailing risk by overlooking or understating Internet banking\nactivity and omitting examination procedures, DOS\xe2\x80\x99s ability to effectively plan for upcoming\nexaminations was impacted. 
Incomplete planning can reduce or preclude the needed\ninvolvement of ESMEs and IS exam specialists in examinations.\n\n\nRecommendations\n\nWe recommend that the Director, DOS, ensure that:\n\n(1)    Examiners use the Internet and FDIC Intranet during exam planning to correctly identify\n       the existence of and apply the examination procedures consistent with the Internet\n       banking activities at financial institutions.\n\n(2)    EBE training emphasizes using the Internet and FDIC Intranet during the planning phase\n       of future electronic banking examinations.\n\n(3)    Examiners document their research of institution Internet banking activity within\n       examination working papers and scoping or planning memorandums.\n\n\nELECTRONIC BANKING EXAMINATION PROCEDURES NEED EXPANSION AND\nCLARIFICATION\n\nDOS\xe2\x80\x99s EBE procedures can be improved to assist examiners in determining and documenting\nwhether an institution\'s Internet banking site is connected to its internal computer systems and\nwhen to make this and other key examination determinations.\n\n\n\n\n                                                 6\n\x0cDOS\xe2\x80\x99s EBE procedures address several key examiner determinations to be made during the\nInternet banking examination process. Such determinations include whether (1) Internet banking\nexists, (2) the institution\'s Internet banking site is connected to its internal computer systems, (3)\nthe Internet banking offered is information only, information exchange or transactional, and (4)\nan ESME or IS examination specialist should be consulted during the planning and performance\nof the examination. Key examiner determinations should be documented because they govern\nthe level of examination coverage and provide support for examiner decisions. 
Documentation\nalso facilitates supervisory review of the decision-making process and provides assurance that\nthe examination was conducted in accordance with management\'s intentions.\n\nDOS can improve documentation related to key examination determinations. The DOS Internet\nbanking examination working papers reviewed did not consistently provide a viable audit trail to\nfacilitate management review of the examination process. Work programs were incomplete and\nsupporting exhibits unavailable for some conclusions in all three sets of working papers. For\nexample, four relevant pages of the core analysis work program, which forms the basis for\nexaminer conclusions on Internet banking capabilities and risk, were not completed for one\nexamination. In a second examination, the core analysis procedure called for determining the\nadequacy of the electronic banking security program but was marked as not applicable. A third\nset of working papers contained no response for the procedure that called for determining\nwhether management verifies the accuracy and content of interactive programs. By enhancing\ndocumentation of key determinations and the actions taken while making these determinations,\nDOS can further enhance confidence in examination results.\n\nDetermining whether Internet banking exists is the first step in ascertaining whether to apply\nInternet banking exam procedures during a planned examination. This step involves verifying\nwhether the bank has an Internet presence via the Internet and FDIC Intranet and confirming the\ncurrency of references to Internet banking, if any, from previous examinations. None of the\nthree sets of examination working papers reviewed during our survey contained evidence of such\na verification during examination planning. 
Subsequent discussions with examiners indicated\nthat the verifications were not performed.\n\nAfter determining whether an institution has an Internet presence and the level of activities\nassociated with such a presence, the examiner must determine the related risk. The first factor in\nassessing the risk posed by an institution\'s Internet banking activity is determining whether\nconnectivity exists between an institution\'s Internet banking site and its internal computer\nsystems. This determination dictates the level of technical expertise needed by examination\npersonnel to evaluate the Internet banking activity and influences the timing and extent of an\nESME or IS examination specialist\'s involvement on the exam. None of the three sets of\nexamination working papers that we reviewed contained evidence of such an analysis.\n\nThe next factor in assessing risk associated with an institution\xe2\x80\x99s Internet banking activity\ninvolves determining whether an Internet banking site is information only, information exchange\nor transactional. An informational Internet site is limited to the display of information related to\na bank and its customers. Transactional sites permit customers to transfer information and\nprocess financial transactions. As noted in our previous audit condition, examiners experienced\nsome difficulty making this determination.\n\n\n                                                  7\n\x0cFinally, the examiner must determine whether and when an ESME or IS examination specialist\nshould be consulted to ensure that the requisite technical expertise is applied to the examination\non a timely basis. Such involvement ensures that the examination team applies the necessary\ntechnical examination procedures and addresses all applicable Internet banking exposures.\nConsultation between the safety and soundness examiner and ESME was not documented in any\nof the three sets of working papers reviewed. 
In addition, two of the three sets of working papers\ndid not conform with DOS EBE procedures regarding the review level performed. For example,\nthe examination working papers for a level-three examination contained no evidence of a\ntechnical review by a designated ESME or IS exam specialist or an explanation describing why\nthe exam team omitted the technical review.\n\nAlthough DOS\xe2\x80\x99s EBE procedures encourage performing and documenting the determinations\ndescribed, they do not require them. Additionally, the procedures do not require a review of\nInternet banking examination working papers to ensure their quality. Evidence of ESME, IS\nexam specialist, or other review was not reflected in the working papers reviewed during this\nsurvey. We believe that the lack of documentation and independent review for these\nexaminations was caused, at least in part, by DOS not requiring these actions. As a result,\nworking paper conclusions and the report of examination were not consistent for two of the three\nsets of working papers reviewed. In one case, examination conclusions noted inadequate\nelectronic banking policy and the report identified the matter as requiring the attention of the\nfinancial institution\xe2\x80\x99s Board of Directors. However, the examiner assigned a management\ncomponent rating of one, the best rating available. In another instance, the examiner\xe2\x80\x99s working\npapers contained only an expired contract with the institution\xe2\x80\x99s servicer and the examiner\nomitted evidence of a review of this servicer\'s security or virus protection. 
However, the\nexamination report\'s risk management section for electronic banking indicated that the bank\'s\nInternet site through the servicer was adequately controlled and that it used both virus protection\nand security software.\n\nRecommendations\n\nWe recommend that the Director, DOS, ensure that:\n\n(4)    EBE procedures are revised to require: (a) detailed instructions on determining the\n      connectivity between an institution\'s Internet banking site and its internal computer\n      systems and when to make this and other key examination determinations; (b) key\n      Internet banking examination process determinations be documented within the working\n      papers; and (c) Internet banking examination working papers and reports be\n      independently reviewed and that evidence of this review be retained in the working\n      papers.\n\n\n\n\n                                                 8\n\x0cCONCLUSION\n\nIn recognition of the substantial risk that Internet banking poses to the banking industry, DOS,\nthrough its EBE procedures, has established a sound framework for evaluating Internet banking\nat supervised financial institutions. However, the noted opportunities for improvement are\ncritical to ensuring effective implementation of this framework. Along with the GAO, we also\nencourage DOS to continue its efforts to establish an examination program for Internet banking\nservice providers.\n\nAdditional audit work will provide more benefit to DOS if we delay it because of the extensive\nuse of outside service providers by banks offering Internet banking, the limited number of\ncurrent servicer examinations, and needed improvements in the structure and content of\nexamination working papers. After allowing time for DOS\xe2\x80\x99s program to mature and incorporate\nwhat we view as needed enhancements, we will revisit pursuing such an audit to further assess\nthe effectiveness of the Internet banking examination process. 
This audit would be based on a\nmore complete evaluation of examination working papers and other factors related to the\nimplementation of DOS\xe2\x80\x99s examination program.\n\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn October 14, 1999, the Director, DOS, provided a written response to the draft report. The\nresponse is presented in appendix I of this report. The Director, DOS, stated that he would\ncomplete actions to address the report\'s findings by September 30, 2000.\n\nThe Corporation\xe2\x80\x99s response to the draft report provided the elements necessary for management\ndecisions on the report\xe2\x80\x99s recommendations. Therefore, no further response to this report is\nnecessary. Appendix II presents management\xe2\x80\x99s proposed action on our recommendations and\nshows that there is a management decision for each recommendation in this report.\n\n\n\n\n                                                9\n\x0c                                                                                      APPENDIX I\n                                 CORPORATION COMMENTS\n\n         Federal Deposit Insurance Corporation\n         550 17th Street, NW, Washington, DC 20429                                     Division of Supervision\n\n\n\n\n                                                              October 14, 1999\n\n\nMEMORANDUM TO:                    Steven A. Switzer\n                                  Deputy Inspector General\n\n\nFROM:                             James L. Sexton\n                                  Director\n\nSUBJECT:                          OIG Draft Report: DOS Actions Regarding Internet Banking\n\n\nThe Division of Supervision (DOS) is pleased to provide our official response to the Office of\nInspector General\xe2\x80\x99s (OIG) draft report entitled, DOS Actions Regarding Internet Banking. 
Our\nresponse addresses the specific findings of the report and also outlines DOS\xe2\x80\x99 plans for\nimplementing corrective action relative to the four recommendations that are contained in the\nreport.\n\nGENERAL COMMENTS\n\nIn general, DOS agrees with the findings and observations presented by the OIG in the draft\nreport. In particular, we recognize the OIG\xe2\x80\x99s observation that DOS has established a \xe2\x80\x9csound\nframework for evaluating Internet banking practices at FDIC-supervised financial institutions.\xe2\x80\x9d\nThis finding is consistent with the comments expressed by the GAO in their recent audit of\nInternet banking activities and regulatory oversight.\n\nThe OIG\xe2\x80\x99s report summarizes an audit survey that consisted of limited staff interviews, review of\ninternal guidance and procedures related to electronic banking, research of certain examination\ndatabases, and review of three sets of examination work papers. The stated objective of the\nsurvey was to \xe2\x80\x9cidentify and evaluate DOS practices regarding Internet banking to determine the\nnature, timing, and extent of audit procedures needed to further evaluate the effectiveness and\nefficiencies of these practices.\xe2\x80\x9d Ultimately, the OIG determined that further audit work would be\nmore effective if delayed pending DOS\xe2\x80\x99 opportunity to address certain issues and implement\nrelated OIG recommendations.\n\nDOS agrees that a delay of further audit work would be appropriate. However, the OIG\xe2\x80\x99s\nproposal to revisit the area for a full audit within the next 12 to 18 months leaves limited time for\nthe implementation of corrective action. 
DOS would therefore like to propose that the audit\ncommence no earlier than 18 months from the date that the final version of the subject report is\nissued.\n\n\n                                                     10\n\x0c            COMMENTS ON AUDIT SURVEY BACKGROUND AND RESULTS\n\n            Upon close review of the draft report, DOS staff identified a few points that are worthy of\n            comment or clarification. Specific comments are provided below:\n\n            The draft report notes (on page three) that the GAO recently completed an audit of regulatory\n            oversight of Internet banking and recommended that the FDIC address the need for greater\n            examination coverage of third party vendors offering Internet banking services. DOS would like\n            to note that the GAO\xe2\x80\x99s recommendation was directed at all of the Federal banking agencies, not\n            just the FDIC. Also, the banking agencies, through the FFIEC Information Systems\n            Subcommittee, have already implemented a supervisory program addressing Internet banking\n            vendors.\n\n            On page three, the draft report references three DOS management systems that \xe2\x80\x9ctrack\n            information related to bank examinations involving Internet banking.\xe2\x80\x9d These systems are\n            identified as the Electronic Banking Data Entry System, the Bank Information Tracking System\n  See       (BITS), and the Scheduling Hours and Reporting Package (SHARP). It should be clarified that\nComment 1\n below\n            BITS and SHARP serve purposes entirely unrelated to electronic banking examination activity.\n            BITS contains data derived from banks\xe2\x80\x99 financial performance and examinations; however, no\n            specific electronic banking data is tracked in BITS. 
Similarly, SHARP contains information\n            pertaining to examination activities and work hours; however, the only data relevant to the area\n            of electronic banking consists of examiner hours spent on electronic banking activities.\n\n  See       A comment on page three implies that the Electronic Banking Examination Procedures use three\nComment 2   \xe2\x80\x9crisk levels to categorize a bank\xe2\x80\x99s Internet activity and the associated level of examination.\xe2\x80\x9d\n below      DOS would like to clarify that the Electronic Banking Examination Procedures use three levels\n            to define the functionality of electronic banking systems. These levels are based on the\n            capabilities permitted by the system and are intended to guide examiners in performing an\n            appropriate scope of review. The degree of risk inherent in a given system does not singularly\n            depend on the level of functionality; rather, it depends on management\xe2\x80\x99s implementation of\n            appropriate controls and procedures. This distinction is important in light of DOS\xe2\x80\x99 risk-based\n            approach to examination and reliance on examiner judgement.\n\n            Page four of the draft report references technical examination guidance on the subject of\n            electronic banking. A \xe2\x80\x9cdraft version of comprehensive information technology technical\n            procedures supplements the safety and soundness procedures\xe2\x80\x9d is mentioned. It should be\n            clarified that DOS has developed three draft technical work programs that address the Unix\n            operating system, the NT operating system, and firewalls. 
These three work programs were introduced in 1997 and remain in the field testing stage.

Comment 1: While BITS and SHARP serve several purposes, the fact that they are management information systems that report upon all DOS bank examinations makes them relevant to Internet banking examinations.

Comment 2: Risk is inherent to DOS’s method of categorizing a bank’s Internet activity, as well as examining that activity.

RESPONSE TO RECOMMENDATIONS

The following summarizes DOS’ response to the four specific recommendations outlined in the OIG’s draft report. As required by the conditions of the Inspector General Act, as amended, and related guidance, our response addresses: (1) the specific corrective actions already taken, if applicable; (2) corrective actions to be taken along with the expected completion date for their implementation; and (3) documentation that will confirm completion of corrective actions.

Three recommendations are specifically targeted at field examiners’ implementation of the DOS Safety and Soundness Electronic Banking Examination Procedures. These recommendations include ensuring that: (1) examiners use the Internet and FDICnet during examination planning to identify Internet banking activities and apply appropriate procedures; (2) electronic banking training emphasizes use of the FDICnet and Internet during the exam planning phase; and (3) examiners document their research of Internet banking activity within examination work papers and planning memoranda.
DOS generally agrees with these recommendations and plans to take corresponding action.

Specific Corrective Actions Already Taken:

Initiatives to alert DOS examination staff to the importance of using internal resources, such as the FDICnet, to identify Internet banking have already been initiated. During two recent regional training conferences (New York Region and San Francisco Region), breakout sessions were conducted on electronic banking. During these sessions, examiners were reminded to utilize specific tools such as the Electronic Banking Data Entry System and internal lists of known Internet banks during the pre-exam process. Once examiners identify Internet banking, they have been directed to review the bank’s Internet site to determine the extent of its functionality.

Also, all DOS assistant examiners that attend the Introduction to Examinations core training session receive instruction on electronic banking and the Electronic Banking Examination Procedures. During these sessions, the attendees are reminded to use the FDICnet and the Internet to identify Internet banking activities during the pre-examination process.

Corrective Actions to be Taken and Related Timeline:

To ensure that examiners utilize resources available on the FDICnet, and in turn, review the bank’s web site on the Internet, the list of risk scoping activities utilized by safety and soundness examiners will be updated to address this activity. Specifically, the practice of reviewing the Electronic Banking Data Entry System for evidence of electronic banking will be added to the list of pre-examination activities that are outlined in the Examination Documentation (ED) modules.
This addition will be completed in the next regularly scheduled update to the ED modules, which occurs in January 2000.

With respect to examiner training, DOS is anticipating “refresher” electronic banking training for safety and soundness examiners. We expect to begin training during the summer of 2000. The training will provide an opportunity to enhance examiner awareness of electronic banking in general and clarify issues related to the Electronic Banking Examination Procedures. Items such as pre-examination activities would be emphasized during the training. DOS plans to determine an appropriate and feasible training strategy in early 2000. A variety of approaches and venues will be considered which take into account other DOS training initiatives and commitments. A plan, detailing the objectives, content, and schedule for the electronic banking training, will be completed in early 2000.

The DOS Manual of Examination Policies contains a section on work paper documentation that provides general guidance and direction on work paper development and retention. However, the section does not specifically enumerate certain documents that must be retained at every examination. Given the wide range of examination procedures and activities conducted at safety and soundness examinations and the variety of financial institutions examined, such specificity would not be meaningful in all situations. However, guidance on electronic banking related work papers will be incorporated into the existing Electronic Banking Section of the DOS Manual. This guidance will state that the electronic banking work papers should contain documentation to support that examiners have reviewed available resources to identify the existence and extent of Internet banking activities.
Revisions to the Electronic Banking Section of the manual will be incorporated into the next regularly scheduled update, which will occur in the first quarter of 2000.

Documentation Confirming Completion of Corrective Actions:

Documentation that will confirm DOS’ completion of corrective actions will include the following:

Page 1 of the Risk Scoping Activities Module in ED will be updated to include the item, “Electronic Banking Data Entry System.” A copy of the updated document will be provided to the OIG as evidence that appropriate corrective action has been completed.

Materials describing DOS plans for electronic banking “refresher” training will be provided to the OIG to demonstrate the content of the sessions and confirm that pre-examination activities were properly addressed. These materials will be made available when the training plans have been formalized in the first quarter of 2000.

In connection with the next regularly scheduled update to the DOS Manual of Examination Policies, the Electronic Banking Section will be updated to include guidance related to work paper documentation. A copy of the updated section will be forwarded to the OIG as confirmation that appropriate corrective action has been completed.

The draft report also contained a fourth recommendation addressing the content of the Electronic Banking Examination Procedures. This multi-part item involves revising the procedures to provide: (a) detailed instructions for determining the connectivity between an institution’s Internet banking site and its internal computer systems and when to make this and other key examination decisions; (b) directions for documenting key process determinations within the work papers; and (c) requirements that Internet banking examination work papers and reports be independently reviewed and that the review be documented in the work papers.
DOS generally agrees that enhanced instructions regarding the determination of connectivity between an institution’s Internet banking site and its internal computer systems would be beneficial. Guidance regarding other key determinations, such as consultation with Electronic Banking Subject Matter Experts, could also be improved.

Specific Corrective Actions Already Taken:

DOS has already commenced the process of soliciting field examiner input on improvements to the Electronic Banking Examination Procedures Module in ED. Examiners have specifically been asked about the clarity of instructions regarding the determination of connectivity between a bank’s Internet system and its internal operations. Examiners have also been asked to comment on other key issues such as instructions regarding the three levels of review and consultations with specialists. Examiner input will be incorporated into the next revision of the Electronic Banking Examination Procedures in the ED update scheduled for the first quarter of 2000.

Corrective Actions to be Taken and Related Timeline:

Parts (a) and (b) of recommendation #4 will be addressed via a combination of updates to the Electronic Banking Examination Procedures and the Electronic Banking Section of the DOS Manual of Examination Policies. Part (c) of recommendation #4 will be addressed via DOS’ existing field office audit program. In order to ensure that technical aspects of the electronic banking review were properly addressed, personnel conducting the review of electronic banking work papers will consult with Electronic Banking Subject Matter Experts as needed. Although some regional offices already incorporate electronic banking in their field office review programs, instruction will be provided to the regional directors to ensure that all field office review programs encompass such activities.
Written guidance will be issued to the eight regional directors by year-end 1999.

Documentation Confirming Completion of Corrective Actions:

Documentation confirming the completion of parts (a) and (b) of recommendation #4 will consist of updates to the existing Electronic Banking Examination Module in ED and the Electronic Banking Section of the DOS Manual. Copies of the amended materials will be forwarded to the OIG as confirmation that corrective action has been implemented.

Activities addressing part (c) of recommendation #4 will consist of enhancements to the DOS field office audit programs to incorporate a review of electronic banking examination work papers. A memorandum will be issued to the regional directors updating field office review guidance. The OIG will be provided with a copy.

CONCLUDING COMMENTS

DOS appreciates the opportunity to comment on the observations and findings from the OIG’s audit survey of the Internet banking area. We fully intend to appropriately implement the specific recommendations and will provide relevant documents to the OIG that will confirm the completion of corrective action.

DOS agrees with the OIG that Internet banking will continue to play an increasingly important role in the delivery of financial products and services in the future. DOS is committed to keeping pace with the risks and supervisory challenges that are presented by developments in banking technology. Enhancements to electronic banking and other information systems examination programs will be considered and implemented as needed to address relevant industry trends.

Please direct any questions regarding this response to Examination Specialists Cynthia Bonnette or Phyllis Zumbrun.

cc:
Mr. Zamorski
Mr. Schmidt
Ms. Frank
Mr. Snyder
Mr. Lane
Ms. Koechel
Mr. Walsh
Mr. Cook
Ms. Zumbrun

APPENDIX II

Management Decision Table

The Inspector General Act of 1978, as amended, requires the OIG to report the status of management decisions on its recommendations in its semiannual reports to the Congress. To consider FDIC's responses as management decisions in accordance with the act and related guidance, several conditions are necessary. First, the response must describe for each recommendation

- the specific corrective actions already taken, if applicable;
- corrective actions to be taken together with the expected completion dates for their implementation; and
- documentation that will confirm completion of corrective actions.

If any recommendation identifies specific monetary benefits, FDIC management must state the amount agreed or disagreed with and the reasons for any disagreement. In the case of questioned costs, the amount FDIC plans to disallow must be included in management's response.

If management does not agree that a recommendation should be implemented, it must describe why the recommendation is not considered valid. Second, the OIG must determine that management's descriptions of (1) the course of action already taken or proposed and (2) the documentation confirming completion of corrective actions are responsive to its recommendations.

This table presents the management responses that have been made on recommendations in our report and the status of management decisions.
The information for management decisions is based on management’s written responses to our report and subsequent discussions with management representatives.

Rec. No. 1
  Corrective Action (Taken or Planned): The Corporation agreed with the recommendation. To ensure that examiners utilize resources available on the FDICnet, and in turn, review the bank's web site on the Internet, the list of risk scoping activities utilized by safety and soundness examiners will be updated to address this activity. The practice of reviewing the Electronic Banking Data Entry System for evidence of electronic banking will be added to the list of pre-examination activities that are outlined in the Examination Documentation modules.
  Expected Completion Date: January 31, 2000
  Documentation That Will Confirm Final Action: DOS electronic banking examination work papers and planning memorandums
  Management Decision: Yes

Rec. No. 2
  Corrective Action (Taken or Planned): The Corporation agreed with the recommendation. Initiatives to alert DOS examination staff to the importance of using internal resources, such as the FDICnet, to identify Internet banking have already been initiated, such as during two recent regional training conferences in New York and San Francisco. Also, during Introduction to Examinations core training, assistant examiners are reminded to use the FDICnet and the Internet to identify Internet banking activities during the pre-examination process. DOS is anticipating "refresher" electronic banking training for safety and soundness examiners, where pre-examination activities will be emphasized, which will begin during the summer of 2000. A plan, detailing the objectives, content and schedule for this electronic banking training, will be completed in early 2000.
  Expected Completion Date: September 30, 2000
  Documentation That Will Confirm Final Action: DOS electronic banking examination training plans and materials
  Management Decision: Yes

Rec. No. 3
  Corrective Action (Taken or Planned): The Corporation agreed with the recommendation. Guidance on electronic banking related work papers will be incorporated into the existing Electronic Banking Section of the DOS Manual. This guidance will state that the electronic banking work papers should contain documentation to support that examiners have reviewed available resources to identify the existence and extent of Internet banking activities.
  Expected Completion Date: March 31, 2000
  Documentation That Will Confirm Final Action: DOS electronic banking examination procedures, work papers and planning memorandums
  Management Decision: Yes

Rec. No. 4
  Corrective Action (Taken or Planned): The Corporation agreed with the recommendation. The recommendation will be addressed via a combination of updates to the Electronic Banking Examination Procedures and the Electronic Banking Section of the DOS Manual of Examination Policies. In addition, instruction will be provided to the regional directors to ensure that all field office review programs now incorporate electronic banking activities.
  Expected Completion Date: March 31, 2000
  Documentation That Will Confirm Final Action: DOS electronic banking examination policies and procedures; memorandum to Regional Directors
  Management Decision: Yes